Boeing 737 Max8 Aircraft Crashes and Investigations [Part 4]

Status
Not open for further replies.

Sparweb

This is the continuation from:

thread815-445840
thread815-450258
thread815-452000

This topic is broken into multiple threads due to the long length to be scrolled, and many images to load, creating long load times for some users and devices. If you are NEW to this discussion, please read the above threads prior to posting, to avoid rehashing old discussions.

Thank you everyone for your interest! I have learned a lot from the discussion, too.

My personal point of view, since this falls close to (but not exactly within) my discipline, is the same as that expressed by many other aviation authorities: that there were flaws in an on-board system that should have been caught. We can describe the process that "should have happened" in great detail, but the reason the flaws were allowed to persist is unknown. They are probably too complex to reveal by pure reasoning from our position outside of the agencies involved. Rather, an investigation of the process that led to the error inside these agencies will bring new facts to light, and that process is under way, which will make its results public in due time. It may even reveal flaws in the design process that "should have" produced a reliable system. Every failure is an opportunity to learn - which is the mandate of the agencies that examine these accidents.

Some key references:

Ethiopian CAA preliminary report

Indonesian National Transportation Safety Committee preliminary report

The Boeing 737 Technical Site


No one believes the theory except the one who developed it. Everyone believes the experiment except the one who ran it.
STF
 
The sequence of how this unfolded (as described in the Seattle Times article) is sufficiently subtle and complicated that fixing the design and certification process itself is going to be a huge challenge, and probably a very lengthy process.


 
Another takeaway from the article would be that reversion to using both AoA sensors and possibly additional sensor info for more accurate detection of stall could minimize the activation of MCAS in the first place.

There's also the question of whether MCAS is overly aggressive, but that's unclear because the two examples had erroneous excessive AoA indications.

TTFN (ta ta for now)
I can do absolutely anything. I'm an expert! faq731-376 forum1529 Entire Forum list
 
IRStuff said:
There's also the question of whether MCAS is overly aggressive, but that's unclear because the two examples had erroneous excessive AoA indications.

It's for the very reason that the system wasn't thoroughly certified that we don't know the answer to that question. A proper system safety analysis would start by classifying the hazards the system is meant to address, and then reveal the hazards posed when the system fails to function. I've attended these "system safety murder boards" before (not as a chief but only as a participant) and it seems like being cruel and unforgiving is the way to do it right.

No one believes the theory except the one who developed it. Everyone believes the experiment except the one who ran it.
STF
 
"cruel and unforgiving"

No doubt. Assuming the article is mostly correct, MCAS was further hampered by forcing it to do two different things, essentially using the single AoA sensor. Clearly, serious errors were made in the safety analysis that allowed that to happen.

TTFN (ta ta for now)
I can do absolutely anything. I'm an expert! faq731-376 forum1529 Entire Forum list
 
But it also uncovered the extremely small window that the manual trim system will work with your normal pilot strength without having to go for aerobatic rollercoaster procedures to unload the trim stab. Which somehow managed to get through when the 800 was certified more than likely by the same process. That said it would take a system failure followed by flight upset to get out of that window, without another system input.

Just have a look at the 800's elevator compared to other types, it's tiny compared to the Stab. 6m2 v 32m2

Also the "average" pilot has changed since the 60's. It is not uncommon now to fly with 60kg females. They do struggle with the older types without power assist controls. Powered no problem.

Maybe they are having to move MCAS from controlling the stab to controlling the Elevator aka a feel system type input to stick force. So if anything has air data sensor input it needs to go in via elevator otherwise they need to change the relative sizes of the Elevator V trim stab.

I can't see how they can turn down the gain on the MCAS system as it was there to sort out a flight envelope certification issue. It's either needed or it's not... We can be pretty certain it is required just as STS was required to get the 800 through. They started out with a relatively slow small input and ended up with a lot more due to the aircraft not being certifiable without that input for an extremely small seldom explored part of the flight envelope.


 
Aside from turning down the gain, there are a number of other things that can be done, including making sure that it doesn't activate when those specific design conditions don't actually exist. The whole reason these threads exist here, and we're discussing this issue, is that MCAS activated twice when it wasn't supposed to.

What happens when it activates when it is supposed to is another, separate, matter; that requires some understanding whether the multiple activations actually make sense, particularly in the context of the infamous 3 seconds.

TTFN (ta ta for now)
I can do absolutely anything. I'm an expert! faq731-376 forum1529 Entire Forum list
 
It seems arguably obvious to offer an MCAS cutout switch, separate from the electric trim cutout switch. But then 'MCAS' would have to be mentioned, and trained.

And they'd need to prove that such a change to the cutout switches is actually appropriate. But that involves admitting all the previously discounted failure modes.

Such a hardware change would thus slow certification. But it might be considered to be essential by those now more wary of software having such authority.

Or relying on software to limit its own authority. An approach that might not be accepted.

The certification phase will probably dominate the schedule. 2020 won't just be hindsight; it must be figuring in the schedule by now.

 
What are your views on the trim stab window of airspeed and pilot manual recovery using the wheel?

And the relative power of the trim stab V elevators?

And the sensibility of allowing anything to control the most powerful control. Per say if the Elevators were driven full deflection you could still recover relatively easily and land the plane using the trim. We know what happens the other way round.

To me you need to get the rules concerning the base systems sorted, only then you can fix the secondary and tertiary systems.

If they put in a secondary powered trim system which created a larger window for recovery that would change the "status" of the manual trim system, relegate it to tertiary backup which the small recovery window could be acceptable for.



 
"Per se" = "of itself"

We know that when the elevators are at full deflection it is difficult to move the stabilizer; that was the primary problem. High elevator loads overpowered the manual control of the stabilizer.

The powered trim worked. The pilots chose not to use it to offset the MCAS inputs.
 
The pilots on Ethiopian Air did use it (electric trim), just not all the way back to "neutral" before they pulled the contacts. The AD was unfortunately rather vague on this with a "can be used" and also gave the now false impression that manual trim control could be used at any time.

Then when they tried to use it again they were going so fast that the rather brutal movement of the stabilizer made them hesitant to keep on using it.

Then MCAS kicked in again, lifted them off their seats with negative G and they couldn't correct with elevator trim alone.

It's interesting to note that in any of the scenarios listed which were looked at during design / certification, they don't really seem to have considered what else happens if your AOA signal goes loopy, e.g. the stick shaker, alarms, discrepancy of instruments etc and still think the pilot is going to work all this out.

It was only by having a third pilot in the Lion Air plane on the flight before the one that crashed that spotted what was happening and recommended the correct course of action.

I think alistair has hit the nail in terms of what might be going on in looking at whether the design really should be other way around for elevator vs stabilizer conflicts given the disparity of surface areas.

Remember - More details = better answers
Also: If you get a response it's polite to respond to it.
 
I wonder if the time spent on MCAS would have been better spent finding ways to mount the engines under the wings.
With a billion dollars and a month or so, I am sure that the problems of under wing mounting could have been solved.
In hindsight, a billion dollars and a few months would have been a lot cheaper than the alternative.
Sure there are lots of problems.
When faced with a difficult problem, some walk away, some try harder.


Bill
--------------------
"Why not the best?"
Jimmy Carter
 
Just as a reminder of the chart for the Ethiopian flight.

[Image: ethiopian_b38m_et-avj_190310_7_zaeef3.jpg]
 
"they don't really seem to have considered what else happens if your AOA signal goes loopy, e.g. the stick shaker, alarms, discrepancy of instruments etc and still think the pilot is going to work all this out."

This is the big issue, and something which will have to be looked at and we will only know what went on when the CVR is released.

MCAS is only the system which has highlighted other issues.

You're in theory meant to have at least double redundancy on all critical systems, i.e. the ones that if they go wrong will kill you. Triple redundancy if possible.

"We know that when the elevators are at full deflection it is difficult to move the stabilizer; that was the primary problem. "

It's impossible to move the manual trim wheel at elevator deflections under half deflection and full forward trim cannot be overpowered by full aft elevator. Stick forces increase by 50lbs per 2.5degrees out of trim.

And you're right, for certification it is now the primary problem. There is no redundancy at all for the electric powered trim system across the full range of the flight envelope. Boeing deems the pilot to be the backup system as long as they react and sort out what the hell is going on in under 3 seconds. Once you're outside that under 8000ft agl you're dead.

Basically in the time it takes you to read this post. With the stick shaker going, egpws giving it don't sink, airspeed mismatch and finally the overspeed alarm as well. I think you can see on the chart when it was likely both pilots were pulling on the stick at the end.

MCAS and how it's programmed is a side issue now. What training the pilots had and if their reactions were correct are a discussion point. But until they sort out the trim and elevator system and get it safe with redundancy across the full flight envelope it can't be tackled. If the manual trim had been able to be used across the full speed range nobody would be dead. It can't so there is no redundancy in the trim system.

BTW the MMEL says you can go flying with one of the electric trim switches unserviceable.
 
Spending a billion dollars on re-designing wings or engine mountings is silly if a <$5k device is going to make the plane porpoise like crazy because it's pinned to rails. If the AoA sensors were working correctly or corrected with other data, MCAS wouldn't have been activated at all, and if the AoA sensors were working or corrected with other data, MCAS wouldn't have repeatedly activated. The "primary" problem is still the AoA sensors; they had redundancy that wasn't used, but the raw failure rate is what's truly at issue.

Had these flights gone through what MCAS was designed to fix with working AoA sensors, it's likely both planes would have survived, since they wouldn't have had conflicting information and they wouldn't have had MCAS repeatedly activating, since the first activation would have produced plausible AoA responses.

TTFN (ta ta for now)
I can do absolutely anything. I'm an expert! faq731-376 forum1529 Entire Forum list
 
As A. Heaton noted above, the 23 Jun Seattle Times article is informative on how the design of MCAS evolved during production, apparently without review by the originating designers. It yet remains hard to believe that the engineers that originally limited the MCAS max degrees of declination did not know this limit was later greatly increased (to account for low speed stall) and that the use of backup sensors was deleted. To have the lives of 200 passengers dependent on the reliability of a single sensor makes one wonder at the possibility of other gross errors that slip by the "regulators". Perhaps the use of multiple sensors for this anti-stall function was patented by Airbus??

"...when logic, and proportion, have fallen, sloppy dead..." Grace Slick
 
Yes but they have the trim system dynamics to deal with now. So a third AoA vane and a new box of tricks ain't going to get it flying again.

I would say MCAS is now a secondary issue.

Plus the rest of the certification will be looked at.

This isn't a solve one problem get a tick in the box and fly again.

Once it's recertified then the training to fly it will start which will cause other issues.
 